Sunday, October 5, 2014

HOW TO CONFIGURE RODC(READ ONLY DOMAIN CONTROLLER) IN SERVER 2012R2


1 – You need to verify the requirements for installing an RODC in your environment. One of the important requirements is the forest functional level: verify that your forest functional level is set to Windows Server 2003 or newer. In my case, my forest functional level is already set to Windows Server 2012 R2.
To verify the functional level, log in to your AD server, open Active Directory Users and Computers, right-click the Comsys.local domain, and then click Raise domain functional level and confirm that the Current domain functional level is set to Windows Server 2012 R2…
2 – Next, in Active Directory Users and Computers, right-click Domain Controllers, and then click Pre-create Read-only Domain Controller account
3 – In the Active Directory Domain Services Installation Wizard box, click Next
4 – Click Next to accept the current credentials, which are Comsys\Administrator…
5 – In the Computer name box, type Comsys-RODC01, and then click Next…
6 – On the Select a site box, click Next
7 – On the Additional Domain Controller Options box, verify that DNS Server and Global catalog are both selected, and then click Next…
8 – On the Delegation of RODC Installation and Administration box, type COMSYS\IT Dept in the Group or user field (my IT Dept group will be able to attach a server to the RODC account that I am creating now), and then click Next…
9 – On the Summary page, click Next
10 – Click Finish to complete the process. In Active Directory Users and Computers, click the Domain Controllers OU and you will see that Comsys-RODC01 is listed.
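The same requirement check and RODC account pre-creation (steps 1 to 10) can be scripted. This is an added example, not part of the original post: it runs on DC01 as a Domain Admin with the ActiveDirectory and ADDSDeployment modules, and the site name is an assumption (pick whatever you chose in step 6).

```powershell
# Added example (not from the original post). Run on DC01 as COMSYS\Administrator.
Import-Module ActiveDirectory
Import-Module ADDSDeployment

# Step 1: an RODC needs the forest functional level at Windows Server 2003 or newer.
$forest = Get-ADForest
$domain = Get-ADDomain
"Forest functional level : $($forest.ForestMode)"
"Domain functional level : $($domain.DomainMode)"
if ($forest.ForestMode -lt [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest) {
    throw "Forest functional level $($forest.ForestMode) is too low for an RODC"
}

# Steps 2-9: pre-create the RODC computer account in the Domain Controllers container,
# make it a DNS server and global catalog, and delegate the installation to IT Dept.
$rodcParams = @{
    DomainControllerAccountName       = 'Comsys-RODC01'
    DomainName                        = 'Comsys.local'
    SiteName                          = 'Default-First-Site-Name'   # assumption: the site from step 6
    DelegatedAdministratorAccountName = 'COMSYS\IT Dept'
    InstallDns                        = $true
    NoGlobalCatalog                   = $false                       # keep Global catalog selected
    Credential                        = (Get-Credential 'COMSYS\Administrator')
}
Add-ADDSReadOnlyDomainControllerAccount @rodcParams

# Step 10: the account now exists under Domain Controllers. PrimaryGroupID 521 is the
# RID of "Read-only Domain Controllers"; ManagedBy holds the delegated group.
Get-ADComputer -Identity 'Comsys-RODC01' -Properties PrimaryGroupID, ManagedBy |
    Select-Object Name, DistinguishedName, PrimaryGroupID, ManagedBy
```

The delegated group is what lets a member such as Morgan promote the server later without Domain Admin rights, which is the whole point of pre-creating the account on the hub DC.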

At this point, we have verified the RODC requirements and delegated RODC installation and administration to the IT Dept group…
Next, let's install the RODC on the ComSys RODC server…
11 – Log on to Comsys-RODC01 server
12 – Open Server Manager, click Manage, and then click Add Roles and Features
13 – In the Add Roles and Features box, click Next
14 – Ensure that Role-based or feature-based installation is selected, and then click Next…
15 – Select Comsys-RODC01, and then click Next…
16 – On the Select server roles box, select the check box to select Active Directory Domain Services, click Add Features, and then click Next…
17 – On the Select features box, click Next…
18 – Click Next, and then click Install to proceed with the installation…
19 – Wait a few minutes for the installation to complete…
20 – After the installation completes, on the Installation progress box, click Promote this server to a domain controller…
21 – In the Deployment Configuration box, verify that Add a domain controller to an existing domain is selected, then click Select…
22 – In the Windows Security box, type comsys\morgan (Morgan is my user in IT dept) for User name and enter the password for Morgan, and then click OK…
23 – Also verify that, under Specify the domain information for this operation, the Comsys.local domain is selected, and then click Next…
24 – Next, in the Domain Controller Options box, under Type the Directory Services Restore Mode (DSRM) password, type your password in the Password and Confirm password fields, and then click Next…
25 – On the Additional Options box, beside Replicate from, click the drop-down box, click DC01.Comsys.local, and then click Next…
26 – On the Paths box, click Next to proceed…
27 – On the Review Options box, click Next
28 – On the Prerequisites Check box, verify that all prerequisite checks passed successfully, and then click Install. After the AD DS process has completed, the Comsys-RODC01 server will restart.
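Steps 12 to 28, the role installation and promotion on the branch server, as an added PowerShell example (not from the original post). It assumes it is run on Comsys-RODC01 by comsys\morgan, a member of the delegated COMSYS\IT Dept group, so no Domain Admin credential is needed; the pre-created account is picked up with -UseExistingAccount.

```powershell
# Added example (not from the original post). Run on Comsys-RODC01 as a local administrator.

# Steps 12-19: install the AD DS binaries and management tools. This does not promote the server.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Import-Module ADDSDeployment

# Steps 21-26: promotion parameters. The delegated IT Dept credential attaches this server
# to the pre-created Comsys-RODC01 account; the DSRM password is read interactively;
# the initial replica is pulled from DC01. Database, log and SYSVOL paths keep their
# defaults (C:\Windows\NTDS and C:\Windows\SYSVOL), as in step 26.
$promoteParams = @{
    DomainName                    = 'Comsys.local'
    UseExistingAccount            = $true
    Credential                    = (Get-Credential 'comsys\morgan')
    SafeModeAdministratorPassword = (Read-Host 'DSRM password' -AsSecureString)
    ReplicationSourceDC           = 'DC01.Comsys.local'
    InstallDns                    = $true
}

# Step 28: run the prerequisite checks first and stop if any of them fail.
$check = Test-ADDSDomainControllerInstallation @promoteParams
$check | Format-List
if ($check.Status -ne 'Success') {
    throw 'Prerequisite check failed; fix the reported issues before promoting'
}

# Promote. The server reboots on completion (NoRebootOnCompletion defaults to $false).
Install-ADDSDomainController @promoteParams

# After the reboot, from any domain-joined admin host, confirm the DC is read-only and a GC:
# Get-ADDomainController -Identity 'Comsys-RODC01' | Select-Object Name, IsReadOnly, IsGlobalCatalog, Site
```

Reading the DSRM password with Read-Host -AsSecureString keeps it out of the command history and transcript, which matters because that password is a local-recovery credential for the directory database on this server.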
Once the Comsys-RODC01 server restarts, we need to configure password-replication groups.
** A password replication policy (PRP) determines which user and computer credentials can be cached on a specific RODC.
29 – Log on to DC01 server, open Active Directory Users and Computers, click the Users container, double-click Allowed RODC Password Replication Group
30 – Click the Members tab, and then verify that nothing is listed
31 – Next, click the Domain Controllers OU, right-click COMSYS-RODC01, and then click Properties…
32 – Click the Password Replication Policy tab, and confirm that Allowed RODC Password Replication Group and Denied RODC Password Replication Group are both listed
Next, let's create a group to manage password replication to our branch office RODC server (COMSYS-RODC01)…
33 – In Active Directory Users and Computers, right-click the Production OU, click New, and then click Group…
34 – In the New Object – Group window, type Comsys Branch Office Users in the Group name field, confirm that Global and Security are selected, and then click OK…
35 – In Active Directory Users and Computers, click the Production OU, and then double-click the Comsys Branch Office Users group. In the Comsys Branch Office Users Properties box, click the Members tab and add a few members, such as Bart, Bobby, Marko and the Surface01 laptop
Next, we also need to configure a password-replication policy for the branch office RODC server (COMSYS-RODC01)…
36 – In Active Directory Users and Computers, click the Domain Controllers OU, right-click COMSYS-RODC01, and then click Properties. Click the Password Replication Policy tab, and then click Add. In the Add Groups, Users, and Computers window, click the radio button to select Allow passwords for the account to replicate to this RODC, and then click OK.
37 – In the search window, in the Enter the object names to select field, type Comsys Branch Office Users and then click OK…
38 – In the COMSYS-RODC01 Properties box, click OK…
Next, let's evaluate the resulting password-replication policy for our RODC…
39 – In the COMSYS-RODC01 Properties box, on the Password Replication Policy tab, click Advanced
40 – Click the Resultant Policy tab, then add the user name Bart (Bart is my Production user), and verify that the Resultant Setting for Bart is Allow…
41 – Next on the RODC Server (COMSYS-RODC01), sign in as comsys\bart. The sign in will fail, because Bart does not have permission to sign in to COMSYS-RODC01. However, the credentials for Bart’s account were processed and cached on COMSYS-RODC01.
42 – Log back on to the domain server. In Active Directory Users and Computers, click the Domain Controllers OU, double-click COMSYS-RODC01, and then click the Password Replication Policy tab. On the Password Replication Policy tab, click Advanced and notice that the password for Bart's account has been stored on the RODC.
Lastly, let's prepopulate credential caching (always remember: do not cache passwords for domain-wide administrative accounts).
43 – On the Password Replication Policy tab, click Advanced, and then click Prepopulate Passwords
44 – In the Select Users or Computers box, I add Bobby and my Surface01, then click OK
45 – Confirm that my user Bobby and Surface01 laptop have both been added to the list of accounts with cached credentials and then click Yes…
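The whole PRP workflow from step 29 to step 45 (inspecting the built-in groups, creating the branch office group, allowing it on the RODC, checking the resultant setting, seeing which credentials are cached, and prepopulating) as an added PowerShell example, not part of the original post. It runs on DC01 as a Domain Admin after COMSYS-RODC01 has been promoted; the Production OU distinguished name is an assumption, and the Get-RodcResultantSetting helper is mine, a simplified stand-in for the GUI's Resultant Policy tab.

```powershell
# Added example (not from the original post). Run on DC01 as a Domain Admin.
Import-Module ActiveDirectory
$rodc = 'COMSYS-RODC01'

# Steps 29-30 and 32: the built-in allow group is empty by default, and both built-in
# groups are already on the RODC's allowed / denied lists.
Get-ADGroupMember -Identity 'Allowed RODC Password Replication Group'     # expected: nothing
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied

# Steps 33-35: global security group for the branch office. Surface01$ is the laptop's
# computer account (sAMAccountName of a computer object ends in $).
New-ADGroup -Name 'Comsys Branch Office Users' -GroupScope Global -GroupCategory Security `
            -Path 'OU=Production,DC=Comsys,DC=local'        # assumption: OU distinguished name
Add-ADGroupMember -Identity 'Comsys Branch Office Users' -Members 'Bart', 'Bobby', 'Marko', 'Surface01$'

# Steps 36-38: allow that group's passwords to replicate to COMSYS-RODC01.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Comsys Branch Office Users'

# Steps 39-40: resultant setting. Helper (added here) applying the RODC's rule: an explicit
# Deny anywhere in the account's nested group chain wins, then Allow, otherwise not cached.
function Get-RodcResultantSetting {
    param([string]$Rodc, [string]$Account)
    $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$Account)"
    # LDAP_MATCHING_RULE_IN_CHAIN returns every group the object is in, directly or nested
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($obj.DistinguishedName))"
    $principals = @($obj.DistinguishedName) + @($groups | ForEach-Object DistinguishedName)
    $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied  | ForEach-Object DistinguishedName
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed | ForEach-Object DistinguishedName
    if ($principals | Where-Object { $denied  -contains $_ }) { return 'Deny (explicit)' }
    if ($principals | Where-Object { $allowed -contains $_ }) { return 'Allow' }
    return 'Deny (implicit)'
}
Get-RodcResultantSetting -Rodc $rodc -Account 'Bart'            # expected: Allow
Get-RodcResultantSetting -Rodc $rodc -Account 'Administrator'   # expected: Deny (explicit)

# Steps 41-42: after Bart's sign-in attempt at the branch, his credentials appear as revealed
# (cached) on the RODC. The authenticated list shows who has logged on through it, which is
# the input for deciding what else belongs in the PRP.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts

# Steps 43-45: prepopulate Bobby's and Surface01's credentials from DC01 without waiting
# for them to log on at the branch (the PRP must already allow them, or this is refused).
foreach ($name in 'Bobby', 'Surface01$') {
    $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$name)"
    Sync-ADObject -Object $obj -Source 'DC01.Comsys.local' -Destination "${rodc}.Comsys.local" -PasswordOnly
}

# The post's own rule, made checkable: no domain-wide admin credential may ever be cached here.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$admins   = Get-ADGroupMember -Identity 'Domain Admins' -Recursive | ForEach-Object DistinguishedName
$revealed | Where-Object { $admins -contains $_.DistinguishedName }      # expected: nothing
```

Running the last check (and reviewing the revealed list) on a schedule is a cheap control: an RODC in a branch office is physically easier to reach than the hub DC, so the revealed list is exactly the set of credentials at risk if the box is stolen, and it should never contain anything beyond the branch office accounts you intended.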
Alright, that's all for today. I recommend that you read more on RODCs; it's a good function provided you understand when and where to implement it…
